Hello all, Nestor10 here to share a couple things I’ve learned in my day job as an infosec samurai. If you want to know some vague things about me, you can check out my introduction.

So a few months ago, I noticed some emails coming in with really sketchy attachments - a few dozen had been delivered before I noticed, so I needed to quickly figure out what the attachments did!

DISCLAIMER

This breakdown uses a real trojan drop script from late last year. While I’m fairly sure none of the URLs in the script are still hosting any malicious code, you should proceed with the utmost caution. Do not attempt to actually run any portion of the code shown below. If you disregard this warning, you do so at your own risk, and I will not be helping you clean your system of whatever infection you end up with.

I dumped a sample in my trusty sandbox and got to work (you can use reverse.it or malwr.com to do the same). I get some interesting stuff back from dynamic analysis:

So it looks like we’ve called PowerShell and then spawned some binaries from that… but we’re still no closer to understanding how to respond to this threat being on our network.

Looking at the code, we can tell that there are some strings being joined in weird ways, there’s some implicit evaluation going on with parentheses, and then we’ve got a whole ton of char codes, all being piped to foreach, which converts them to chars. So just like the original wall of base64 stuff that was run on cmd.exe, this should basically be building a string to eval somehow.

Here’s where things get hairy - it’s not easy to figure out what string this will produce without eval()ing it ourselves. That means we have to figure out a way to remove its fangs before we proceed. Let’s take a look at the first bit of code:

.((VaRiAbLe '*mdr*').naME[3,11,2]-jOIN'')

Nothing too dangerous there. What happens if we run it?

cmdlet Invoke-Expression at command pipeline position 1

Aha! We found the claws, now we can just run the rest of the script. Here’s the secret it divulges to us:
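The two steps above, resolving the hidden command name by hand and then pulling its teeth so the rest of the script prints its decoded stage instead of running it, as an added example. This is my own illustration, not code from the original dropper, and it assumes Windows PowerShell 5.1, where the built-in variable $MaximumDriveCount exists (that is the variable the '*mdr*' wildcard lands on, and characters 3, 11 and 2 of its name spell iex). The obfuscated line at the bottom is a harmless stand-in I constructed in the same pattern; the function name Show-Stage is mine.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1,
# where the built-in variable $MaximumDriveCount exists: that is the variable
# the dropper's "(VaRiAbLe '*mdr*').naME[3,11,2]-jOIN''" trick resolves to.
# The $sample line further down is a harmless stand-in I constructed, not the
# dropper's code.

# 1. Resolve the hidden command name by hand, without invoking anything.
#    'Variable' is the alias for Get-Variable; '*mdr*' matches MaximumDriveCount.
$varName  = (Get-Variable '*mdr*').Name      # "MaximumDriveCount"
$resolved = $varName[3,11,2] -join ''        # chars 3, 11, 2 of the name -> "iex"
"Hidden command name: $resolved"

# 2. Defang: redirect both the iex alias and the Invoke-Expression name to a
#    function that only echoes what it was asked to run. Aliases win over
#    functions and cmdlets in command lookup, so overriding the alias is enough
#    for the short form, and an alias named Invoke-Expression shadows the cmdlet.
function Show-Stage {
    param([Parameter(ValueFromPipeline = $true, Position = 0)][string]$Command)
    process { "[defanged] would have run: $Command" }
}
Set-Alias -Name iex               -Value Show-Stage -Force
Set-Alias -Name Invoke-Expression -Value Show-Stage -Force

# 3. Constructed stand-in for the dropper's pattern: the command name comes
#    from the variable trick, the argument is built from char codes piped
#    through ForEach-Object (% is its alias). These codes spell "Get-Date".
$sample = @'
.((VaRiAbLe '*mdr*').naME[3,11,2]-jOIN'') ((71,101,116,45,68,97,116,101|%{[char]$_})-join'')
'@

# With iex redirected, running the stand-in hands the decoded argument to
# Show-Stage, which prints it rather than executing it.
& ([scriptblock]::Create($sample))
```

Run this only in an isolated analysis VM, and note the caveat: a script that calls the cmdlet by its module-qualified name (Microsoft.PowerShell.Utility\Invoke-Expression) bypasses the alias override, so the safer habit for a real sample is still to replace the invocation in the script text with Write-Output before running anything, which is exactly what the writeup does above.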

When I ran the dynamic analysis, it gave me 1 IP to look into… but now that we’ve pulled apart the code, it’s clear that I need to be looking for any traffic to any URL in the $urls string there.

Thanks to our l33t skilz, the affected users have been dismissed out the nearest airlock and we can block all the future traffic. Hurray!

Thanks for reading this cringe-worthy, sad excuse for a writeup. It’s my first time putting something like this together for a larger audience than the suits at work, so any feedback you might have will be immensely appreciated. Same goes for any questions.